XSS Filter Bypass in Edge

Tuesday, April 19, 2016 @ 04:04 PM gHale

There is a bypass for Microsoft Edge’s built-in XSS filter, a researcher found.

That means there is a way for attackers to run malicious JavaScript inside Edge while navigating various websites, despite some of the security measures that Microsoft has worked on to put in the browser, said Gareth Heyes, a researcher with PortSwigger.

XSS filters are present in almost all browsers, and they ended up added in to stop XSS (cross-site scripting) attacks at the browser level, before reaching the website and its users.

Browser makers have been fighting to bolster Web security by taking it in their hands to prevent some simplistic attacks like XSS and CSRF. For example, besides XSS, there are anti-CSRF measures also included with browsers in the form of anti-CSRF tokens passed to cookies.

“IE had a flaw in the past where you could use the location object as a function and combine toString/valueOf in an object literal to execute code. Basically you use the object literal as a fake array which calls the join function that constructs a string from the object literal and passes it to valueOf which in turn passes it to the location object,” Heyes said in a blog post.

As Heyes mentioned, this was a flaw that got ported from some Internet Explorer (IE) code that made it into Edge, even if Edge is a new product altogether.